Phone Number +1-202-802-9399 (US)

Thycotic is now Delinea!

The Lockdown

Thycotic’s Cyber Security Blog

Thycotic SCIM Connector for Integrations with Secret Server


Written by Barbara Hoffman

May 30th, 2019

Today, many organizations have both privileged account management (PAM) and identity governance solutions that operate independently. As a result, organizations lack the ability to have a unified view of identities. As we discussed in “Top PAM Technology Integrations,” while PAM secures access to key system and admin accounts, integration with Identity & Access Management (IAM) and Identity Governance and Administration (IGA) allows for the automation and interoperability of user access. IT teams can also gain full visibility into user access and role assignments as well as ongoing user and role changes

The System for Cross-Domain Identity Management (SCIM) was specifically designed to make managing user identities in cloud-based applications and services easier. It is a code standard that allows platforms to make a request for user information while keeping the privileged data associated with that user information secure. The SCIM standard effectively breaks this access down into three parts:

  • Users and Groups – These are the objects that are applied to the access rights of a Container. These map to user accounts and groups across both systems.
  • Containers – These are the objects that are managed for access, and they are also the containers that the Privileged Data live inside of. In Secret Server these are the equivalent of Folders, where each Container is a Folder.
  • Privileged Data – This is the privileged data that users and groups are ultimately trying to get access to. In Secret Server these are the equivalent to Secrets.

Using this structure organizations can add, modify, or remove the access of users and/or groups to a container, and this access in turn allows or prevents users/groups from accessing the Privileged Data (i.e. Secrets) in those containers.

SCIM: Users / Groups apply access to Containers


The SCIM standard handles the communication of this managed access between the applications/programs by requiring requests for user information to follow a set format. This format allows the standard to identify the user/group by a specific ID value or attribute and then add, modify or remove their access to any containers, without displaying or returning the actual privileged data (i.e. Secrets) that are inside the containers. The format uses a set of RESTFUL services (GET, POST, PUT, DELETE) to be made while allowing filters to be applied to narrow down the returned results. For more details on the SCIM format and model, please see the following:

Leveraging the SCIM standard, Thycotic’s SCIM Connector allows the automation and interoperability of user access. IT teams attain visibility into user access and role assignments as well as ongoing user and role changes.

Let’s look at a scenario where Thycotic Secret Server and SailPoint IdentityIQ are configured to work together (see Figure 2).  Our SCIM Connector allows identity management platforms to control entitlements without switching between platforms. When configured with SailPoint IdentityIQ workflows that allow users to provision or modify entitlements can be set up in Secret Server directly from inside IdentityIQ.

Our SCIM Connector allows identity management platforms to control entitlements without switching between platforms.


Once both platforms are configured to work with the SCIM Connector application, users that have access to make changes can add, modify or remove access to containers directly using SailPoint’s user interface.  The changes will then be applied in Secret Server. Since the access to these containers can be modified directly in SailPoint IdentityIQ, that means you can use IdentityIQ workflows to enforce this process, triggering approvals and other events that you would normally define in your workflow. Once the workflow process is complete, a user’s access to that container  will be modified in Secret Server. This is all being done from within one platform (SailPoint IdentityIQ in this example), so users don’t need to switch over to Secret Server to apply the changes and the Secrets themselves are not exposed to any of the users involved in this process.

Another advantage of using the SCIM standard, through the SCIM Connector, is that Secret Server can communicate with multiple SCIM enabled platforms at one time, all without requiring coding efforts on either side to help interpret calls and requests that are made from either direction.

Secret Server can communicate with multiple SCIM enabled platforms at one time.


If both platforms are using the SCIM standard each side will understand the requests and responses being sent. The SCIM Connector application will accept any requests that are made in the SCIM format from a vendor application/program and will convert those requests into information Secret Server can understand, returning responses in that same SCIM standard format.

The SCIM Connector itself installs as a separate application that can be installed on a Windows Server machine that has IIS enabled and uses .Net 4.5.1 or later. The SCIM Connector application can be installed inside the same environment as Secret Server and/or the vendor application (i.e. the other SCIM Endpoint) or in a separate environment, as long that environment still has access to connect to both Secret Server and the third party SCIM application. The installation itself is quick and sets up a Web Application on the machine that acts as the point of contact for communication.

After installation the SCIM Connector also has its own set of access credentials to ensure that only user accounts that are supposed to have access can create or manage SCIM application Endpoint connections, and logging is available to help track any SCIM calls that are made. Connections to Secret Server and other SCIM Endpoints can be specified within the application, and each connection can use its own set of credentials to help limit and secure any requests that are made.

In short, it’s all about making it easier to manage secure access. It’s easy to manage and use the SCIM code standard to enable secure communication between Thycotic Secret Server and other SCIM enabled applications, to help synchronize and manage user identities across an organization from a single place.

View more information on the Thycotic SCIM Connector application.

PAM Experts Guide

Take your Privileged Access Management to the Next Level

Free Download: Expert's Guide to Privileged Access Management (PAM) Success